Skip to content

Instantly share code, notes, and snippets.

@goncalor
Last active April 22, 2024 15:02
Show Gist options
  • Save goncalor/a01ba66927c0dc704000d7bf1327d36e to your computer and use it in GitHub Desktop.
Save goncalor/a01ba66927c0dc704000d7bf1327d36e to your computer and use it in GitHub Desktop.
MSMQ Nmap service probe

MSMQ Nmap service probe

⚠️ Disclaimer: testing of this probe is limited and the MSMQ protocol is proprietary and undocumented. Use this probe at your own risk. ⚠️

Nmap currently has no way to detect whether the service running on TCP port 1801 is Microsoft Message Queuing (MSMQ). The file msmq-service-probe here has been developed to give Nmap the capability to detect MSMQ. The objective is to help identify assets with MSMQ exposed, that may be vulnerable to CVE-2023-21554, aka QueueJumper.

This works by sending a MSMQ packet to port 1801 and checking if the response matches an expected fingerprint.

You can run this probe as follows:

nmap -Pn -n -v -p1801 -sV --versiondb msmq-service-probe 127.0.0.1

If the service running on the port is MSMQ, Nmap will output the following:

PORT     STATE SERVICE VERSION
1801/tcp open  msmq    Microsoft MQ

If the server is not MSMQ this is printed instead:

PORT     STATE SERVICE VERSION
1801/tcp open  msmq?
# Nmap service detection probe list -*- mode: fundamental; -*-
#
# This is a database of custom probes and expected responses that the
# Nmap Security Scanner ( https://nmap.org ) uses to
# identify what services (eg http, smtp, dns, etc.) are listening on
# open ports. Contributions to this database are welcome.
# Instructions for obtaining and submitting service detection fingerprints can
# be found in the Nmap Network Scanning book and online at
# https://nmap.org/book/vscan-community.html
#
# For details on how Nmap version detection works, why it was added,
# the grammar of this file, and how to detect and contribute new
# services, see https://nmap.org/book/vscan.html.
Exclude T:9100-9107
##############################NEXT PROBE##############################
# Microsoft MQ probe
Probe TCP NULL q|\x10\0\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xd2\x29\x1d\x06\x10\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 1801
match msmq m|^\x10\x5a\x0b\0\x4c\x49\x4f\x52\x3c\x02\0\0\xff\xff\xff\xff\0\0\x02\0\x06\x55\x3d\x51\x36\xdf\xc7\x40\x96\x43\x17\x5c\x3c\xe7\x6c\xaa| p/Microsoft MQ/
# .*ZZZ$ should end the regex, but detection fails in some cases with this. Unsure why
totalwaitms 6000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment